On the Age of Pseudonyms in Mobile Ad Hoc Networks Julien Freudiger, Mohammad Hossein Manshaei, Jean-Yves Le Boudec and Jean-Pierre Hubaux Infocom 2010

Get Location Cellular networks GPS Wifi IP 2 Share location Twitter Flickr Google search Foursquare Loopt Google Latitude Ovi … Location-based Applications

Context-based Applications 3 Sense neighborhood Ad hoc communications RFID Communicate Vehicular Networks Proximity-based Social Networks Opportunistic communications Delay-tolerant networks …

Locality is one contextual information most useful when combined with others 4 Hyper-connected World

5 S POTRANK by Skyhook wireless Provides insight into human behavior Enables localized services Helps city planners Location

“Understand urban construct through the interaction of its parts” 6 Petra Kempf, Architect and Urban Designer You Are the City

Privacy Threat Human movement is highly predictable and follows simple reproducible patterns Visited locations reveal – Personal activities – Professional activities – Social activities 7 C. Song, Z. Qu, N. Blumm and A.-L.Barabasi. Limits of Predictability in Human Mobility. Science 2010

Location is identity 8

“It’s not where you are, it’s where you have been” 9 Gary Gale, Yahoo

G OAL Control location disclosure 10

This Paper Consider – Context-based applications – Ad hoc wireless communications – Mix zones to prevent tracking of users Contribution – Measure achieved location privacy using the distribution of age of pseudonyms 11

Ad Hoc Networks (Peer-to-Peer Wireless Communications) Message Signature + certificate Identifier Pseudonym

Assumptions N mobile nodes WiFi/Bluetooth enabled Ad hoc communications Certification authority (CA)

Threat: Tracking Global passive eavesdropper tracks location of mobile nodes

Solution: Mix Zones 15 Mix zone x x y y ? A. Beresford and F. Stajano. Mix Zones: user privacy in location aware services. Percom, 2004 M. Li et al. Swing and Swap: User-centric approaches towards maximizing location privacy. WPES, 2006 Temporal decorrelation: Change pseudonym Spatial decorrelation: Remain silent

Gain and Cost 16 Gain Tracking uncertainty of adversary (entropy) Depends on number of nodes in mix zone and trajectory Cost γ Obtain new pseudonym Update routing tables Silent period

Mix Zones Mix network Mix networks vs Mix zones 17 Mix node Mix node Mix node Mix node Mix node Mix node Alice Bob Alice source Alice destination

The Problem 18 Can we measure the location privacy achieved with a network of mix zones?

Outline 1.Age of Pseudonym: A Metric for Location Privacy 2.Dynamical System: Mean Field Equations 3.Analytical Results 4.Numerical Results 19

Age of Pseudonym Adversary can track nodes between mix zones Mix zone = confusion point 20 Mix zone 1 Mix zone 2 T RACEABLE Older age of pseudonym results in lower location privacy Age of PseudonymLocation Privacy

Evolution of Age of Pseudonym 21 2 E2E2 1 E1E1 E 2 :Success E 1 : Success E 3 :Failure 3 E3E3 Age: A A

Outline 1.Age of Pseudonym: A Metric for Location Privacy 2.Dynamical System: Mean Field Equations 3.Analytical Results 4.Numerical Results 22

Mean Field Theory Replace interactions between nodes with average interaction 23 M. Benaım and J.-Y. Le Boudec. A class of mean field interaction models for computer and communication systems. Performance Evaluation, 65(11-12):823–838, 2008

Goal Measure probability distribution of a certain state – CDF of the age of pseudonym Mean field theory says “CDF is known to satisfy ordinary differential equations when N goes to infinity” 24

Model Parameters Communication model – : Communication rate Mobility Model – η: Rate of meetings – : Average number of nodes in meetings Cooperation model – c(z): Probability of cooperation at age z 25

26 Mean Field Equations: Drift Process At each time step, the age of pseudonym is incremented with rate 26

Mean Field Equations: Jump Process (1) can successfully change its pseudonym c(z): Probability of cooperation of node with age z q(t): Probability of finding at least one cooperative node  : Rate of meetings 27

28 Mean Field Equations: Jump Process (2) cannot find a cooperative partner

29 Mean Field Equations

Outline 1.Age of Pseudonym: A Metric for Location Privacy 2.Dynamical System: Mean Field Equations 3. Analytical Results 4.Numerical Results 30

Stationary mode (t goes to infinity) Cooperation is a threshold function 31

Mean Field Equation 32

Solution: PDF of the Age of Pseudonyms 33

Outline 1.Age of Pseudonym: A Metric for Location Privacy 2.Dynamical System: Mean Field Equations 3.Analytical Results 4.Numerical Results 34

Gamma Cost of Pseudonym change 35 Constant -- f(0) Exponential Exponential X Polynomial Result 1: High  results in older pseudonym distribution because of second jump process  = 5, =1, c 0 =1

Theta Cooperation Threshold 36 Result 2: High  results in older pseudonym distribution because there is less cooperation.  = 5, =1, c 0 =1

Lambda Communication rate 37 Result 3: High results in older pseudonym distribution because pseudonym ages faster.  = 1,  =5, c 0 =1

Average number of nodes in meeting 38 Result 4: High N results in younger pseudonym distribution because it is easier to find cooperative nodes.  = 1,  =5, c 0 =1, =1

Model Validation 39 Random walk model 10km X 10km Transmission range: 100 meters Run simulation until convergence

Conclusion Developed a framework to measure the distribution of age of pseudonyms Main result: Possible to design system with low distribution of age of pseudonym Obtained a fundamental building block of location-privacy-preserving systems 40 lca.epfl.ch/privacy twitter.com/jfreudiger